BA Shambles – Not a cyber attack – It's worse?

Being the victim of a cyber attack might have been the less damaging option for British Airways. At least if they had been the victims of malicious cyber criminals there would have been a degree of sympathy. Instead, the power outage explanation given in response to the sight of countless passengers stranded and sleeping on airport floors hints at a more troubling problem. Rather than being victims of the actions of an external third party, BA may have no one but themselves to blame for their current predicament. After all, you can outsource services, but you cannot outsource responsibility; ultimately that remains yours.

The RTO (recovery time objective) for critical systems in most disaster recovery plans is measured in minutes, or at worst hours, not days as in BA's case. So what has gone wrong? No doubt BA and their outsourced IT provider, Tata Consultancy Services, will be raking over the ashes of this particular debacle in due course. Why did the secondary / duplicate systems (or, for systems this critical, perhaps the tertiary systems) which BA / Tata presumably have not switch in to solve the problem? But whilst we leave them to deal with those failures and the associated reputational damage, are there any lessons the rest of us can draw from their misfortune?
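The only way to know whether a stated RTO holds is to run the failover drill and measure it. The script below is an added illustration, not code from the original post or from BA / Tata: it reads a drill log, checks whether the secondary ever engaged, and compares the actual recovery time against the objective. The 15-minute RTO, the event names and the two log extracts are all constructed for the example.

```python
"""Score a disaster-recovery drill against a recovery time objective (RTO).

Added example, not from the original post. The event names, the log format
and the sample drill logs below are assumptions constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumed recovery time objective for the drill being scored.
RTO = timedelta(minutes=15)

# Constructed sample drill logs. In the first the secondary site takes over;
# in the second nothing fails over and the primary is eventually brought back.
DRILL_OK = """\
2017-05-27T09:00:00Z OUTAGE_DETECTED site=primary
2017-05-27T09:00:40Z FAILOVER_INITIATED target=secondary
2017-05-27T09:06:10Z SERVICE_RESTORED site=secondary
"""
DRILL_FAILED = """\
2017-05-27T09:00:00Z OUTAGE_DETECTED site=primary
2017-05-27T11:30:00Z SERVICE_RESTORED site=primary
"""

# <timestamp> <EVENT_NAME> [key=value ...]
LINE_RE = re.compile(r"^(\S+)\s+([A-Z_]+)(?:\s+(.*))?$")


def parse_drill(log):
    """Return [(timestamp, event, detail)] for every well-formed log line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3) or ""))
    return events


def evaluate_drill(log, rto=RTO):
    """Measure recovery time and flag a drill that missed its RTO or never failed over."""
    events = parse_drill(log)
    first_seen = {}
    for ts, name, _ in events:
        first_seen.setdefault(name, ts)  # keep the earliest occurrence of each event

    if "OUTAGE_DETECTED" not in first_seen or "SERVICE_RESTORED" not in first_seen:
        return {"status": "incomplete", "recovery_time": None,
                "failed_over": False, "findings": ["drill log lacks start or end event"]}

    recovery = first_seen["SERVICE_RESTORED"] - first_seen["OUTAGE_DETECTED"]
    failed_over = "FAILOVER_INITIATED" in first_seen
    findings = []
    if not failed_over:
        findings.append("secondary never engaged")
    if recovery > rto:
        findings.append(f"RTO missed by {recovery - rto}")

    return {"status": "pass" if not findings else "fail",
            "recovery_time": recovery, "failed_over": failed_over,
            "findings": findings}


if __name__ == "__main__":
    for label, log in (("drill with failover", DRILL_OK), ("drill without failover", DRILL_FAILED)):
        result = evaluate_drill(log)
        print(f"{label}: {result['status']} in {result['recovery_time']}; {result['findings'] or 'no findings'}")
```

A drill that restores service but never exercises the secondary is recorded as a failure even when it lands inside the RTO, because the thing being tested is the failover, not the engineers' ability to nurse the primary back to life.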

Firstly, is this even a cyber security issue? In short, yes. Cyber security is not merely about defending your organisation from cyber criminals, whether external (hackers) or internal (disgruntled employees). Ultimately security is about ensuring your business can function and deliver its products or services regardless of interference, criminal or otherwise. So it can be argued that BA's IT failure is a (cyber) security issue. Its (cyber) security strategy, and the business plans which should flow from that strategy, have been found wanting. Either the strategy was non-existent, or the associated plans were not formulated and applied, or they were not tested thoroughly enough to ensure they were sufficiently robust and would actually work when needed.

Bottom line, because that appears to have been the principal driver: the estimated cost of this weekend's debacle is £150 million, for starters. There will be countless further costs, both reputational and financial. So the failure to have an appropriate security strategy, duly funded, might with hindsight prove to be a very false economy.

So, ask yourself this: would your organisation fare any better? Does your business have a risk-based (cyber) security strategy? Is it focused solely on attack by malicious external parties (hackers), and has it therefore been left with the IT department to handle? Or does it consider wider risks to business continuity (including IT)? And, as both Government and the IoD advise, is drafting and applying it treated as a Board-level responsibility? Does your business have business continuity plans? Are they merely documents gathering dust, or have they been tested to ensure they will actually work when needed? No doubt many of these questions will be asked of, or by, Alex Cruz in the coming weeks.